Your browser is obsolete!

The page may not load correctly.

The workshop

Кухня

Other issues in this category (24)
  • add to favourites
    Add to Bookmarks

Tricks with files

Read: 2123 Comments: 17 Rating: 45

If you've ever seen the results of comparative anti-virus software tests, you’ve probably noticed that the number of objects scanned can vary greatly depending on the product being tested. And sometimes these figures are significantly higher than the number of files in a scanned collection. The reason for this is rather prosaic.

An anti-virus is also a universal decompressor that allows any object to be split into parts, even a corrupted object that can’t be processed by any archive extraction utility.

Here are just two paragraphs of anti-virus requirements from a tender document:

The installed anti-virus must scan:

  • files and objects in the following formats: Smart Install Maker (SIM); DMG, HFS, XAR, Universal Binary (MacOS); SIS (Symbian 9); INNO SETUP (5.3.9 and later); SETUP FACTORY (line-up 7,8); XENOCODE; TARMA INSTALL (line-up 3); XZ (UNIX); COMPRESS; SQUAHFS; CHILKAT ZIP; and LHA packages (AWARD BIOS),
  • files and objects in the following self-extracting archives: AppPackager, Astrum Install Wizard, Create Install, Fly Studio, GSFX, Hot Soup, Inno Setup, Install Essen, Install Factory, Linder Setup, NSIS (NullSoft Installation System), RSFX, SEA, Setup Factory, Setup Generator Pro, SXA ZIP, Tarma Install, Thunder Setup System, Wise Installation System, and Alloy.

And far more formats exist than that!

But even ordinary anti-virus scanning can present surprises with regards to the number of objects scanned. Take, for example, a zero-size file:

#drweb

Let's have the anti-virus scan it.

#drweb

#drweb

What’s this? A miracle? Why have two objects been scanned? Was the counter bumped up? Actually, everything is on the level: an anti-virus scans files (and folders) according to parameters that are invisible to ordinary users.

Remember the fictional character Mary Poppins who had a magical handbag in which she could store all sorts of items, no matter what shape or size? Neither the size nor the weight of her handbag ever changed. Files and directories in the NTFS file system used in Windows are just like that “magical handbag”.

Everyone knows that a file has attributes—read and write permissions.

#drweb

But, in addition to these attributes, you can assign others for a file (and a folder)—and they won’t be visible to users who use traditional file managers.

For example, in a zero-size file, you can write another file.

Take an eicar test virus (for example, at http://www.eicar.org/85-0-Download.html). This "program" (EICAR-European Institute for Computer Anti-Virus Research) has been specially designed to let users see how an anti-virus will report a detected virus, without subjecting their computers to any danger.

But don’t forget to disable your anti-virus protection before you download this test file; otherwise, you will see something like this:

#drweb

Go to a command line, and copy the downloaded fake anti-virus into any file.

#drweb

Open a file manager, and make sure that the file size has not changed:

#drweb

After this, scan this file:

#drweb

So that's how you can hide some important objects from a user's attention.

Important!

  • Conduct experiments on computers that are disconnected from a local network.
  • Don't forget to run an anti-virus scan immediately after your experiments have finished.

After all, each case is unique…

Dr.Web recommends

The Dr.Web anti-virus finds viruses no matter where they may be hiding. But there’s no reason to hope that you know your system better than cybercriminals and that you’ll absolutely notice a virus when one appears. You shouldn’t overestimate your capabilities and underestimate cybercriminals!

Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.

[Twitter]

Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.

Comments